Issue Type: Improvement
Affects Versions: 0.2.1
Assignee: Ivo Ladage - van Doorn
Components: OAuth server
Created: 13/Apr/12 2:17 PM
Description:

Currently the OAuth server does not enforce that clients avoid the 'plain text' encryption method. Consumers are free to use any supported encryption method, including plain text. As a result, if a developer 'accidentally' sets the encryption method to plain text in production, the consumer key and secret are added as plain-text parameters to the HTTP request, where they are very easy to sniff (if not sent over SSL).
By default, the OAuth server should not accept PLAIN TEXT encrypted OAuth messages (unless sent over SSL). The allowed encryption methods should be configurable.
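The check this issue asks for, as an added illustration that is not Amdatu Auth code: in OAuth 1.0 the method is carried in the `oauth_signature_method` parameter and the weak value is `PLAINTEXT`, whose `oauth_signature` is literally the consumer secret (and token secret) percent-encoded. The policy names (`DEFAULT_ALLOWED`, `TLS_ONLY_METHODS`), the `is_secure` flag and the sample headers are constructed assumptions.

```python
"""Reject PLAINTEXT-signed OAuth 1.0 requests unless they arrived over TLS.

Illustrative code, not Amdatu Auth's implementation. The server would call
check_signature_method() with the Authorization header and whether the
connection was TLS before doing any signature verification.
"""
import re
from urllib.parse import unquote

# Hypothetical default policy: strong methods always allowed,
# PLAINTEXT only when the transport already protects the secret.
DEFAULT_ALLOWED = frozenset({"HMAC-SHA1", "RSA-SHA1"})
TLS_ONLY_METHODS = frozenset({"PLAINTEXT"})

_PARAM_RE = re.compile(r'([A-Za-z0-9_]+)="([^"]*)"')

# Constructed sample headers; "s3cret" stands in for a consumer secret.
SAMPLE_PLAINTEXT_HEADER = (
    'OAuth realm="api", oauth_consumer_key="abc", oauth_signature_method="PLAINTEXT", '
    'oauth_signature="s3cret%26", oauth_timestamp="1334300000", oauth_nonce="n1"'
)
SAMPLE_HMAC_HEADER = (
    'OAuth realm="api", oauth_consumer_key="abc", oauth_signature_method="HMAC-SHA1", '
    'oauth_signature="dGVzdA%3D%3D", oauth_timestamp="1334300000", oauth_nonce="n2"'
)


def parse_oauth_header(header):
    """Return the percent-decoded oauth_* parameters of an 'OAuth ...' header."""
    scheme, _, rest = header.strip().partition(" ")
    if scheme.lower() != "oauth":
        return {}
    return {k: unquote(v) for k, v in _PARAM_RE.findall(rest) if k.startswith("oauth_")}


def check_signature_method(header, is_secure, allowed=DEFAULT_ALLOWED,
                           tls_only=TLS_ONLY_METHODS):
    """Return (accepted, reason); is_secure says whether the request came over TLS."""
    method = parse_oauth_header(header).get("oauth_signature_method")
    if method is None:
        return False, "missing oauth_signature_method"
    if method in allowed:
        return True, "ok"
    if method in tls_only:
        if is_secure:
            return True, "ok: PLAINTEXT permitted because transport is TLS"
        return False, "PLAINTEXT rejected: consumer secret would travel unencrypted"
    return False, "signature method %r not allowed" % method
```

Passing an empty `tls_only` set disables PLAINTEXT entirely, which is the stricter configuration for deployments that never terminate TLS at the OAuth server itself.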

Project: Amdatu Auth
Priority: Major
Reporter: Ivo Ladage - van Doorn
Security Level: Public (Issues without restricted access)
Amdatu-developers mailing list
http://lists.amdatu.org/mailman/listinfo/amdatu-developers